10 May 2021

A bio research institute got infected with Ryuk ransomware because of pirated software


A European biomolecular research institute involved in COVID-19 related research has lost a week’s worth of vital research data because a student didn’t want to pay for licensed software, according to experts at Sophos’ Rapid Response team, who shared some details of the incident.

The response team was called in after the biomolecular research institute suffered a Ryuk ransomware attack. Once the attack was contained and neutralized, the team set out to determine how the institute’s systems had been infected in the first place.

The researchers discovered that the attackers gained domain access and used it to deploy the Ryuk ransomware through a series of scheduled tasks. Further investigation led them to a student who had unwittingly paved the way for the ransomware.

“Human error can happen in any organization; the reason the mistake was able to progress to a fully-fledged attack was because the institute didn’t have the protection in place to contain the error. At the heart of this was its approach to letting people outside the organization access the network. Students working with the institute use their personal computers to access the institute’s network. They can connect into the network via remote Citrix sessions without the need for two-factor authentication,” Sophos explained in a blog post.

The student in question wanted a personal copy of a data visualization software tool they were already using for work, but as a single-user license was likely to cost them a hefty sum of money, they decided to hunt for a free alternative by posting a relevant question on an online research forum.

When the student couldn’t find a suitable free version, they searched for a cracked version instead. Once they found one, they attempted to install it, which triggered a security alert from Windows Defender, so the student disabled Defender along with their firewall.

“However, instead of a cracked copy of the visualization tool they were after, the student got a malicious info-stealer that, once installed, began logging keystrokes, stealing browser, cookies and clipboard data and more. Somewhere along the way it apparently also found the student’s access credentials for the institute’s network,” Sophos said.

Thirteen days later a remote desktop protocol (RDP) connection was registered on the institute’s network using the student’s credentials. It came from a computer named “Totoro” (the name of the anime character).

The team determined that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection. Ten days after this connection was made the Ryuk ransomware was launched.
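The rogue RDP session described above is exactly the kind of event that a simple inventory check over logon records would have surfaced. The following is an added example, not code from the article or from Sophos: in Python, over constructed Windows Security event 4624 records rendered as key=value lines, it flags RemoteInteractive (RDP, logon type 10) logons whose source workstation is not in a hypothetical asset inventory. The usernames, hostnames and addresses in the sample are invented.

```python
import re
from typing import Dict, List, Iterable

# Constructed sample data: a simplified key=value rendering of Windows Security
# events. 4624 = successful logon, 4625 = failed logon; LogonType 10 is
# RemoteInteractive (RDP). Names and addresses are invented for the example.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=10 TargetUserName=jdoe WorkstationName=LAB-WS-07 IpAddress=10.20.1.15
EventID=4624 LogonType=3 TargetUserName=svc_backup WorkstationName=FS-01 IpAddress=10.20.0.5
EventID=4624 LogonType=10 TargetUserName=student42 WorkstationName=Totoro IpAddress=10.20.5.40
EventID=4625 LogonType=10 TargetUserName=student42 WorkstationName=Totoro IpAddress=10.20.5.40
EventID=4624 LogonType=10 TargetUserName=student42 WorkstationName=LAB-WS-12 IpAddress=10.20.1.22
"""

# Hypothetical asset inventory: hostnames the institute actually manages.
KNOWN_HOSTS = {"LAB-WS-07", "LAB-WS-12", "FS-01"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value log line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def flag_unknown_rdp_logons(log_text: str, known_hosts: Iterable[str]) -> List[Dict[str, str]]:
    """Return successful RDP logons whose source workstation is not in inventory.

    Only successful logons (4624) of type 10 are considered; failed attempts and
    network/service logons are ignored so the output stays actionable.
    """
    known = {h.upper() for h in known_hosts}
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "10":
            continue
        if ev.get("WorkstationName", "").upper() not in known:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in flag_unknown_rdp_logons(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(f"ALERT: RDP logon for {hit['TargetUserName']} from unmanaged host "
              f"{hit['WorkstationName']} ({hit['IpAddress']})")
```

Run against the sample, it reports only the logon from the unmanaged host "Totoro"; the same account's later logon from an inventoried lab workstation is not flagged.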

“It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack,” said Peter Mackenzie, manager of Rapid Response at Sophos. “The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access … In this case, the implementation of robust network authentication and access controls, combined with end user education might have prevented this attack from happening. It serves as a powerful reminder of how important it is to get the security basics right.”
